IMPACT ONLINENEWSLETTER

UTMB to add new safeguards for patient privacy

UTMB is adding new computer safeguards to assure patient privacy.

The information security and privacy offices will install a system that continuously monitors electronic access of UTMB’s estimated 2 million patient records and reports any suspicious activity. UTMB already guards the records in a password-protected network secured to thwart outside intruders. The new system is expected to be in place by February.

Employees and others with access to patient records will be briefed before the monitoring starts and asked to acknowledge in an online form that they understand its significance, said Shelly Witter, privacy officer and director of compliance programs.

“Since there is a lot at stake, we want to ensure that employees are aware this capability is coming and that they know when it gets here,” Witter said.

Employees who violate privacy regulations may be disciplined or terminated.

The monitoring will encompass UTMB Health and UTMB’s Correctional Managed Care operation. Systems to be monitored include MyUTMB; Epic, the electronic medical records system; and Invision, the patient scheduling system.

“In actual use, the UTMB monitoring system will apply custom parameters that interpret activity in the records systems and determine if anything looks suspicious,” said Robert Shaffer, director of information security.

Custom parameters help match bits of information that might indicate suspicious behavior, such as employees who access:

Records outside their practice area. For example, an obstetrics/gynecology employee who views the record of a male patient

A neighbor’s record

A record of a patient with the same last name as the employee

Witter said monitoring systems can make errors.

“An individual from the Office of Institutional Compliance will investigate and research any alert to determine whether it’s a ‘false positive’ or indicates inappropriate activity,” she said.

Authorized users of UTMB patient-records systems must sign in to use the systems. Computer logs record masses of information, including the sign-ins of authorized users and the information that a user views. Using the data, the monitoring system can retrieve much information, including:

Time and date of a user’s access

Information viewed

Which workstation was used

The pattern of data searches

With customized parameters in place, for example, the monitoring system can identify whether an employee accessed the records of another employee or VIPs receiving medical care, Shaffer said.

“The system is designed to protect all patients, but it also benefits our employees who are patients and have concerns about their information being inappropriately viewed or used by supervisors or co-workers,” Witter said.

Privacy monitoring has become standard in the health care industry because of the widespread use of electronic medical records systems. Monitoring systems provide protection that the U.S. Department of Health and Human Services requires in its audits to enforce HIPAA, the patient-privacy law.

UTMB itself enforces rules about patient privacy as outlined in the Institutional Handbook of Operating Procedures.

Numerous medical centers have paid millions of dollars in fines and penalties, and dozens of their employees have been fired or prosecuted due to patient-privacy violations in the past few years.

The organization Privacy Rights Clearinghouse reports a rising number of breaches that are traced to employees, contractors or others with legitimate access. Health care centers in the United States, the organization said, reported 84 such incidents since 2010, with two-thirds of them taking place in the last 18 months.

Helpful tips:

Don’t access patient information if it’s not part of your job or assigned duties.

Sign off when you leave a workstation that can access patient information.

Secure any printed patient information before leaving a work area.

Limit your access to only the patient information that is relevant to your job. Example: If you are treating a patient for a broken ankle, you probably don’t need to look at the records of a previous stay relating to the patient’s hand surgery.

Never allow co-workers to use your sign-in and password, even if you log in for them.

Don’t disclose a friend’s patient information to them when it is not part of your job to do so.

Don’t use the patient care system to look up addresses, locations or phone numbers for employees, co-workers or students.

Don’t access a patient’s medical record after your involvement in the patient’s care is over. Example: A student who worked up a history on a patient moves to another rotation, but wants to access the record to see where the patient is now.